
Introduction to MySQL audit plug-in

2022-07-01 15:00:00 InfoQ

Preface:

The database audit function records users' operations on the database in an audit log for later tracing, querying and analysis, so that user operations can be monitored and audited. Auditing is very important work and an important part of an enterprise's data security system; the audit log is also required in the ISO evaluation. For DBAs, database auditing is extremely important as well, especially after a man-made accident: the audit log makes it easy to trace responsibility and locate the problem.

1. Status of audit logging in MySQL Community Edition

If you are using MySQL Community Edition, you will find that MySQL does not officially provide an audit log in the strict sense. MySQL does have the binlog and the general log, and both offer some audit capability, but it is generally inappropriate to treat either of them as an audit log.

The binlog is a binary log file. It records all DDL and DML statements executed by the database (excluding data query statements such as select and show), recorded as events and stored in a binary file. Although the execution record of a specific SQL statement can be found in it, its main purpose is master-slave replication, so it cannot be regarded as an audit log.

The general log is a full log: once enabled, it records every SQL statement that reaches MySQL Server. This log is generally left off, because it grows very large and affects database performance. The general log also records a lot of useless information, which makes later filtering difficult when it is used as an audit log.

So how should MySQL Community Edition be audited? We found that MySQL's audit function can be implemented by installing an audit plug-in. There are three common audit plug-ins: MariaDB Audit Plugin, Percona Audit Log Plugin and McAfee MySQL Audit Plugin. MariaDB's built-in audit plug-in is the better fit for MySQL Community Edition, so let's learn how to use it to implement auditing.

2. Audit plug-in tutorial

The first thing to do is copy the audit plug-in out of a MariaDB installation package. Note that the operating system must match: if your MySQL is installed on CentOS, download the MariaDB installation package for CentOS and copy the plug-in from it; on Windows, download the audit plug-in for that system.

The MariaDB audit plug-in is named server_audit.so (server_audit.dll on Windows). Note that the audit plug-in has been updated over time and different versions have different functions. A plug-in version >= 1.4.4 is recommended, because newer versions of the plug-in can exclude select statements. The audit events supported by different versions of the audit plug-in are shown in the following figure:



The correspondence between audit plug-in versions and MariaDB versions is shown in the following figure:



MySQL 5.7 generally corresponds to MariaDB 10.2. We take MySQL 5.7 on CentOS as the example for installing the audit plug-in. Here I chose to download the MariaDB 10.2.38 installation package (audit plug-in version 1.4.13). Download address:
https://downloads.mariadb.com/MariaDB/mariadb-10.2.38/bintar-linux-x86_64/mariadb-10.2.38-linux-x86_64.tar.gz

Once the download is complete, unpack the installation package, copy the server_audit.so file from the mariadb-10.2.38-linux-x86_64/lib/plugin/ path, and put it on the MySQL server. The specific steps are as follows:

# Check the MySQL plug-in storage path
mysql> show variables like 'plugin_dir';
+---------------+------------------------------+
| Variable_name | Value |
+---------------+------------------------------+
| plugin_dir | /usr/local/mysql/lib/plugin/ |
+---------------+------------------------------+

# Place the audit plug-in server_audit.so in this path
[[email protected] plugin]# ls -lh server_audit.so 
-rw-r--r--. 1 root root 191K May 4 2021 server_audit.so

#  Change the owner and permission of the plug-in
[[email protected] plugin]# chown mysql:mysql server_audit.so
[[email protected] plugin]# chmod 755 server_audit.so
[[email protected] plugin]# ls -lh server_audit.so 
-rwxr-xr-x. 1 mysql mysql 191K May 4 2021 server_audit.so

The steps above are all preparation. For your convenience, the 1.4.13 audit plug-in for 64-bit Linux can also be downloaded separately from the following cloud link:
https://pan.baidu.com/s/1HO5sjKb5zpj3CiyRulV5bw?pwd=r85k
Extraction code: r85k. Now let's start the actual installation.

# Log in to the database and install the audit plug-in
mysql> INSTALL PLUGIN server_audit SONAME 'server_audit.so';
Query OK, 0 rows affected (0.07 sec)

mysql> show plugins;
+----------------------------+--------+--------------------+-----------------+---------+
| Name | Status | Type | Library | License |
+----------------------------+--------+--------------------+-----------------+---------+
...
| SERVER_AUDIT | ACTIVE | AUDIT | server_audit.so | GPL |
+----------------------------+--------+--------------------+-----------------+---------+

# View the initial audit parameter configuration
mysql> show variables like '%audit%';
+-------------------------------+-----------------------+
| Variable_name | Value |
+-------------------------------+-----------------------+
| server_audit_events | |
| server_audit_excl_users | |
| server_audit_file_path | server_audit.log |
| server_audit_file_rotate_now | OFF |
| server_audit_file_rotate_size | 1000000 |
| server_audit_file_rotations | 9 |
| server_audit_incl_users | |
| server_audit_loc_info | |
| server_audit_logging | OFF |
| server_audit_mode | 1 |
| server_audit_output_type | file |
| server_audit_query_log_limit | 1024 |
| server_audit_syslog_facility | LOG_USER |
| server_audit_syslog_ident | mysql-server_auditing |
| server_audit_syslog_info | |
| server_audit_syslog_priority | LOG_INFO |
+-------------------------------+-----------------------+

# Enable auditing online
mysql> set global server_audit_logging=on;
Query OK, 0 rows affected (0.00 sec)

mysql> set global server_audit_events='connect,table,query_ddl,query_dcl,query_dml_no_select';
Query OK, 0 rows affected (0.00 sec)

mysql> set global server_audit_file_path ='/data/mysql/logs/server_audit.log';
Query OK, 0 rows affected (0.00 sec)

mysql> set global server_audit_file_rotate_size=104857600;
Query OK, 0 rows affected (0.01 sec)

# Add the following configuration under [mysqld] to make it permanent
server_audit=FORCE_PLUS_PERMANENT
server_audit_logging=ON
server_audit_file_path=/data/mysql/logs/server_audit.log 
server_audit_events=connect,table,query_ddl,query_dcl,query_dml_no_select
server_audit_file_rotate_size=104857600

After the steps above, the installation and configuration of the audit plug-in are complete. With reference to the official documentation, let's look at the role of the main configuration parameters:



The parameters above are easy to understand. Now let's run some insert, delete, update and query operations and look at what the audit log records:

# After the operations, check the contents of the audit log
20220512 15:17:17,mysqlhost2,test_user,10.30.21.95,118,0,FAILED_CONNECT,,,1045
20220512 15:17:30,mysqlhost2,test_user,10.30.21.95,119,0,FAILED_CONNECT,,,1045
20220512 15:20:26,mysqlhost2,test_user,10.30.21.95,124,0,CONNECT,,,0
20220512 15:20:49,mysqlhost2,test_user,10.30.21.95,124,395,QUERY,,'create database testdb',0
20220512 15:22:06,mysqlhost2,test_user,10.30.21.95,129,419,QUERY,testdb,'CREATE TABLE if not exists `test_tb0` (\r\n `increment_id` int(11) NOT NULL AUTO_INCREMENT COMMENT \' Since the primary key \',\r\n `test_id` int(11) NOT NULL ,\r\n `test_name` varchar(20) DEFAULT NULL,\r\n `create_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT \' Creation time \',\r\n `update_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT \' Modification time \',\r\n PRIMARY KEY (`increment_id`)\r\n) ENGINE=InnoDB DEFAULT CHARSET=utf8 COMMENT=\' test table\'',0
20220512 15:23:09,mysqlhost2,test_user,10.30.21.95,129,426,QUERY,testdb,'insert into test_tb0 (test_id,test_name) values (1001,\'4343df\'),(1002,\'dfd\')',0
20220512 15:23:22,mysqlhost2,test_user,10.30.21.95,129,433,QUERY,testdb,'delete from test_tb0',0
20220512 15:24:14,mysqlhost2,test_user,10.30.21.95,129,448,QUERY,testdb,'create table test_tb0 (id int)',1050
20220512 15:24:25,mysqlhost2,test_user,10.30.21.95,129,452,QUERY,testdb,'drop table test_tb0',0
20220512 15:25:13,mysqlhost2,test_user,10.30.21.95,126,0,DISCONNECT,testdb,,0

# Connection auditing records connecting to the database, disconnecting, failed connections and similar operations. The log format is as follows:
[timestamp],[serverhost],[username],[host],[connectionid],0,CONNECT,[database],,0
[timestamp],[serverhost],[username],[host],[connectionid],0,DISCONNECT,,,0
[timestamp],[serverhost],[username],[host],[connectionid],0,FAILED_CONNECT,,,[retcode]

# QUERY auditing records the various database change events; failed executions are also recorded. The log record format is as follows:
[timestamp],[serverhost],[username],[host],[connectionid],[queryid],QUERY,[database],[object],[retcode]
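
An added example, not part of the original article: a Python parser for the record formats listed above, run over lines copied from the log excerpt. It splits from the left and takes the return code from the right because the quoted SQL in [object] contains commas; the finding names and the two-failure threshold are illustrative assumptions.

```python
import re
from collections import Counter, namedtuple

# Lines copied from the audit log excerpt above (raw string keeps the \' escapes).
SAMPLE = r"""20220512 15:17:17,mysqlhost2,test_user,10.30.21.95,118,0,FAILED_CONNECT,,,1045
20220512 15:17:30,mysqlhost2,test_user,10.30.21.95,119,0,FAILED_CONNECT,,,1045
20220512 15:20:26,mysqlhost2,test_user,10.30.21.95,124,0,CONNECT,,,0
20220512 15:23:09,mysqlhost2,test_user,10.30.21.95,129,426,QUERY,testdb,'insert into test_tb0 (test_id,test_name) values (1001,\'4343df\'),(1002,\'dfd\')',0
20220512 15:23:22,mysqlhost2,test_user,10.30.21.95,129,433,QUERY,testdb,'delete from test_tb0',0
20220512 15:24:14,mysqlhost2,test_user,10.30.21.95,129,448,QUERY,testdb,'create table test_tb0 (id int)',1050
20220512 15:24:25,mysqlhost2,test_user,10.30.21.95,129,452,QUERY,testdb,'drop table test_tb0',0
""".splitlines()

AuditRecord = namedtuple("AuditRecord", "timestamp serverhost username host "
                         "connection_id query_id operation database obj retcode")

def parse_line(line):
    # Assumption: the first eight fields hold no commas. The quoted SQL in
    # [object] does, so split from the left and take [retcode] from the right.
    head = line.rstrip("\r\n").split(",", 8)
    if len(head) != 9:
        raise ValueError(f"not a server_audit record: {line!r}")
    obj, _, retcode = head[8].rpartition(",")
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1].replace("\\'", "'")  # undo the quote escaping
    return AuditRecord(*head[:4], int(head[4]), int(head[5]), head[6], head[7],
                       obj, int(retcode))

def review(lines, max_failures=2):  # max_failures: illustrative threshold
    failed, findings = Counter(), []
    for rec in map(parse_line, lines):
        who = f"{rec.username}@{rec.host}"
        if rec.operation == "FAILED_CONNECT":
            failed[who] += 1
        elif rec.operation == "CONNECT" and failed[who] >= max_failures:
            findings.append(("login_after_failures", rec.timestamp, who))
        elif rec.operation == "QUERY" and re.match(r"\s*(drop|truncate|delete)\b", rec.obj, re.I):
            findings.append(("destructive_statement", rec.timestamp, rec.obj))
        elif rec.operation == "QUERY" and rec.retcode != 0:
            findings.append(("failed_statement", rec.timestamp, rec.obj))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```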

With that, we have basically completed the initial use of the audit plug-in. As the contents of the audit log show, the record format is clear and detailed, every column is needed, and it is easy to find the corresponding operation from the log. Having used it, I feel the server_audit audit plug-in can basically meet audit needs. The plug-in does have both advantages and disadvantages, summarized as follows:

Advantages of the server_audit audit plug-in:

  • Rich audit content: user connections and disconnections, DML operations, stored procedures, triggers, events, etc.
  • Flexible audit strategy: audit events can be customized, for example filtering out select queries or excluding a given user from auditing.
  • Flexible and convenient: it is free to use and easy to install, and the audit function can be enabled and disabled online.

Disadvantages of the server_audit audit plug-in:

  • Enabling auditing adds performance overhead to the database and takes up disk space.
  • The log format is not rich enough; the output format cannot be customized.

References:

  • https://www.cnblogs.com/lijiaman/p/14257861.html
  • https://www.jianshu.com/p/45b37a73e286
  • https://mariadb.com/kb/en/mariadb-audit-plugin-options-and-system-variables/